Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-12-04 Thread Chesnay Schepler
Turns out we already have a link to the Apache security page; in the Apache section at the very bottom of the sidebar. If I open the page it is unfortunately not visible...there are too many things in the sidebar. Nevertheless an additional entry as done in the PR cannot hurt. I'm taking a l

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-12-03 Thread Dian Fu
Hi all, Just syncing the results of the vote for setting up a mailing list security@f.a.o: it has been rejected [1]. Another very important thing is that all the people agree that there should be a guideline on how to report security issues on the Flink website. Do you think we should bring up a separate

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-20 Thread Dian Fu
Hi all, There is no new feedback and it seems that we have received enough feedback about setting up a secur...@flink.apache.org mailing list[1] for security report and discussion. It shows that it's optional as we can use either secur...@flink.apache.org or sec

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-19 Thread Dian Fu
Hi all, Thanks for sharing your thoughts. Appreciated! Let me try to summarize the information and thoughts received so far. Please feel free to let me know if there is anything wrong or missing. 1. Setup project specific security mailing list Pros: - The security reports received by secur...@apa

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-14 Thread Becket Qin
Thanks for bringing this up, Dian. +1 on creating a project specific security mailing list. My two cents, I think it is worth doing in practice. Although the ASF security ML is always available, usually all the emails are simply routed to the individual project PMC. This is an additional hop. And

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-14 Thread Yu Li
Thanks for bringing up this discussion Dian! How to report security bugs to our project is a very important topic! Big +1 on adding some explicit instructions in our document about how to report security issues, and I suggest opening another thread to vote on the reporting method in Flink. FWIW, known

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-14 Thread Chesnay Schepler
Source: https://www.apache.org/security/ Now, we can of course setup such a mailing list (as outlined here https://www.apache.org/security/committers.html), but I'm not sure if it is necessary since the number of reports is _really_ low. On 14/11/2019 11:03, Chesnay Schepler wrote: AFAIK, the

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-14 Thread Chesnay Schepler
AFAIK, the official way to report vulnerabilities in any Apache project is to write to secur...@apache.org and/or notify the respective PMC. So far, we had several reports that went this route, hence I'm not convinced that an additional ML is required. I would be fine with an additional paragr

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-13 Thread Jark Wu
Hi Dian, Good idea and +1 to setup security mailing list. Security vulnerabilities should not be publicly disclosed (e.g. via dev ML or JIRA) until the project has responded. However, AFAIK, Flink doesn't have an official process to report vulnerabilities. It would be nice to have one to protect F

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-13 Thread Hequn Cheng
Hi Dian, Good idea! +1 to have a security mailing list. It is nice for Flink to have an official procedure to handle security problems, e.g., reporting, addressing and publishing. Best, Hequn On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang wrote: > Thanks Dian Fu for this proposal. +1 for creating

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-13 Thread Jeff Zhang
Thanks Dian Fu for this proposal. +1 for creating a security mailing list. To be noted, the security mailing list is a private mailing list and cannot be subscribed to publicly. FYI, Apache members can create mailing lists using this self-service tool https://selfserve.apache.org/ jincheng sun wrote on Thursday, November 14, 2019 at 12:25 PM:

Re: [DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-13 Thread jincheng sun
Hi Dian, Thanks a lot for bringing up this discussion. This is very important for the Flink community! I think setting up a security mailing list for Flink is pretty nice, although ` secur...@apache.org` can be used and the report will be forwarded to the Flink private mailing list if there is no project speci

[DISCUSS] Expose or setup a secur...@flink.apache.org mailing list for security report and discussion

2019-11-13 Thread Dian Fu
Hi all, I'm reaching out to see if there is an existing security specific mailing list in Flink. If there is, we should expose it on the official web site of Flink [1] to guide people to report security issues to this mailing list. If it still doesn't exist, I'm here to propose to setup a secur.